Nearly every web application has at least one vulnerability, according to the 2017 Trustwave Global Security Report, released Tuesday. Of the apps scanned by Trustwave for the report, 99.7% included at least one vulnerability, with the mean number of vulnerabilities in web apps being 11.

In addition to looking at application security, the Trustwave report also includes information on data breaches as well. The median number of days it took to detect an intrusion dropped to 49 in 2016 from 80.5 days in 2015. However, internally-detected breaches were typically found in about 16 days, a much shorter time period.

Geographically, North America was hit hard, with 49% of data breaches occurring there, the report said. The Asia Pacific region claimed 21% of breaches, while 20% happened in Europe, the Middle East, and Africa (EMEA), and 10% in Latin America. Retail was the most affected industry, accounting for 22% of breaches, according to the report.

Likely contributing to retail breaches were the increases in security incidents involving POS (point of sale) systems. Those incidents rose from 22% in 2015 to 31% in 2016, the report found. E-commerce incidents dropped by 12% in the same timeframe. Additionally, the most "at-risk" data was found to be payment card information.

The Trustwave report also found that zero-day vulnerabilities are bringing their creators a hefty payday in some cases. In one instance cited by the report, an undisclosed Windows zero-day vulnerability and the exploit code to go with it had a price tag of $95,000.

On the opposite end of the price spectrum, malvertisements offered cybercriminals a big bang for their buck. A mere $5 could allow criminals to infect 1,000 vulnerable computers with the malicious advertising.

Malware is also becoming more tricky to detect, with 83% of malware samples tested for the report using obfuscation to hide. The report also found that 36% were using encryption.

More and more spam email is making use of malware, too. In 2016, 35% of spam messages contained malware, which is a dramatic increase from the 3% in 2015. And some 60% of all inbound email tested was categorized as spam, up 6% from the previous year.

For more detailed information on the threat landscape, check out the full report here.

The 3 big takeaways for TechRepublic readers

Some 99.7% of web applications have at least one vulnerability, according to a recent Trustwave report.

The report said that 49% of data breaches occurred in North America, specifically targeting payment card information and the retail industry.

Malware is becoming more difficult to detect, and more spam email is making use of malware as well, the report found.